Unauthenticated RCE Chain in Trend Micro Mobile Security Enterprise
Trend Micro Mobile Security (Enterprise) 9.8 SP5 through Critical Patch 3 contains two critical flaws, CVE-2023-32523 and CVE-2023-32524, that let unauthenticated attackers reach remote code execution by chaining an authentication bypass with an unrestricted file upload and a local file inclusion. In both cases the application trusts a user-controlled session_info cookie presented to the /widget endpoint: if the named WFUser account does not exist, it is created with a blank password and bound to a valid PHP session, so the attacker obtains an authenticated session without ever supplying credentials.
From that session the attacker uploads an arbitrary PHP file (PoolManager.php in the advisory) to C:\Windows\Temp through proxy_controller.php, then executes it via path traversal or an unsanitized require_once argument in widget_package_manager.php or widgetforsecurity_package_manager.php. Both bugs are rated CVSS 9.8, need no authentication or user interaction, and yield arbitrary code execution on the appliance with the usual follow-on risk of lateral movement. Trend Micro issued fixes on April 18, 2023. Defenders are advised to inspect C:\Windows\Temp for unexpected PHP files and to review web logs for requests that hit the /widget, proxy_controller.php and package-manager endpoints from a single client in close succession.
Timeline
Aug 22, 2023
STAR Labs publicly discloses CVE-2023-32523 and CVE-2023-32524 details
On 2023-08-22, STAR Labs published advisories for CVE-2023-32523 and CVE-2023-32524, describing how user-controlled session cookies could create blank-password accounts and enable pre-authenticated RCE. The advisories also included exploitation details and detection guidance such as checking for suspicious PHP files in C:\Windows\Temp and reviewing requests to vulnerable endpoints.
Apr 18, 2023
Trend Micro releases patch for CVE-2023-32523 and CVE-2023-32524
Trend Micro released fixes on 2023-04-18 for two critical authentication bypass vulnerabilities in Mobile Security (Enterprise) 9.8 SP5 up to Critical Patch 3. The flaws could be chained with unrestricted file upload and local file inclusion issues to achieve unauthenticated remote code execution.
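The detection guidance in the summary and in the 22 August advisory entry (unexpected PHP files in C:\Windows\Temp, and the three endpoints hit by one client in quick succession) can be turned into a small hunt script. The following is an added example, not code from Trend Micro, STAR Labs or Mallory. It assumes a simplified, constructed log format (ISO timestamp, client IP, method, path, status); the five-minute window and the "all three stages from one client, in chain order" heuristic are this example's own choices, not the advisory's, and the sample log lines are constructed. Only the endpoint names come from the advisory text.

```python
"""Added example (not Trend Micro or STAR Labs code): hunt for the
CVE-2023-32523/32524 chain in web-server logs and for dropped PHP files.

Assumptions: the log format is a constructed, simplified one
(ISO timestamp, client IP, method, path, status); the 5-minute window and
the chain-order heuristic are mine, not the advisory's.
"""
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# The chain visits the advisory's endpoints in this order.
ORDER = ["auth_bypass", "upload", "lfi"]
UPLOAD_RE = re.compile(r"/proxy_controller\.php$")
LFI_RE = re.compile(r"/widget(?:forsecurity)?_package_manager\.php$")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: 203.0.113.7 completes the chain in 14 seconds,
# 198.51.100.4 is ordinary admin traffic spread over hours.
SAMPLE_LOG = """\
2023-08-22T10:00:01 203.0.113.7 GET /widget/ 200
2023-08-22T10:00:09 203.0.113.7 POST /widget/proxy_controller.php 200
2023-08-22T10:00:15 203.0.113.7 GET /widget/widget_package_manager.php 200
2023-08-22T09:30:00 198.51.100.4 GET /widget/ 200
2023-08-22T11:12:40 198.51.100.4 POST /widget/proxy_controller.php 200
2023-08-22T10:00:20 203.0.113.7 GET /widget/ 200
this line is deliberately malformed and must be skipped
2023-08-22T12:00:00 192.0.2.9 GET /index.php 200
"""


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def classify(path):
    """Map a request path to a chain stage. The specific scripts are checked
    before the generic /widget prefix, which on its own is not suspicious:
    the chain, not any single request, is the signal."""
    p = path.split("?", 1)[0]
    if UPLOAD_RE.search(p):
        return "upload"
    if LFI_RE.search(p):
        return "lfi"
    if p == "/widget" or p.startswith("/widget/"):
        return "auth_bypass"
    return None


def find_chains(lines, window=timedelta(minutes=5)):
    """Return one finding per client that hits auth_bypass -> upload -> lfi
    in that order within `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["path"])
        if stage:
            per_ip[rec["ip"]].append((rec["ts"], stage, rec["path"]))

    findings = []
    for ip, events in per_ip.items():
        events.sort()
        idx, start, matched = 0, None, []
        for ts, stage, path in events:
            if stage == "auth_bypass" and (idx == 0 or ts - start > window):
                # (Re)start a candidate chain at a fresh /widget hit.
                idx, start, matched = 1, ts, [(ts.isoformat(), stage, path)]
            elif idx > 0 and stage == ORDER[idx] and ts - start <= window:
                matched.append((ts.isoformat(), stage, path))
                idx += 1
                if idx == len(ORDER):
                    findings.append({"ip": ip, "first_seen": start.isoformat(),
                                     "events": matched})
                    break
    return findings


def unexpected_php_files(directory):
    """List *.php files under `directory`; on the appliance point this at
    C:\\Windows\\Temp, where the advisory says the dropped file lands."""
    root = Path(directory)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.php") if p.is_file())


def self_check_temp_scan():
    """Run the Temp scan against a constructed scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "PoolManager.php").write_text("<?php /* constructed marker */ ?>")
        (Path(d) / "notes.txt").write_text("benign")
        return unexpected_php_files(d)


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: chain completed, first seen {f['first_seen']}")
        for ts, stage, path in f["events"]:
            print(f"  {ts} {stage:<12} {path}")
    print("PHP files in scratch Temp:", self_check_temp_scan())
```

Real IIS or Apache logs need their own field parser in place of LINE_RE, and if the log source records cookies, filtering the first stage on the presence of a session_info cookie will cut false positives from routine admin use of /widget.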
Related Stories

Critical Unauthenticated RCE Vulnerability in Trend Micro Apex Central (CVE-2025-69258)
A critical remote code execution vulnerability, tracked as CVE-2025-69258, was discovered in Trend Micro Apex Central (on-premise). It allows unauthenticated attackers to load a malicious DLL into the `MsgReceiver.exe` process and execute code with SYSTEM privileges. The flaw, along with two related vulnerabilities (CVE-2025-69259 and CVE-2025-69260), was privately reported by Tenable researchers and affects every Apex Central release prior to Critical Patch Build 7190. The vulnerabilities are triggered by sending specially crafted messages to `MsgReceiver.exe`, which listens on TCP port 20001; CVE-2025-69258 yields code execution and the other two cause denial of service. Exploitation requires only network access to the vulnerable system, and technical details as well as proof-of-concept exploits have been publicly released. Trend Micro has issued a critical patch and strongly urges customers to update to the latest build immediately, and also recommends reviewing remote access policies and perimeter security to reduce exposure. No affected product versions were explicitly listed in the CVE database at the time of disclosure, but all releases before the patched build are considered vulnerable.
1 month ago
Authenticated SQL Injection Flaws in Trend Micro Apex Central Enable RCE
Trend Micro Apex Central 2019 **Build 6016 and earlier** contains two high-severity authenticated SQL injection vulnerabilities, **`CVE-2023-32529`** and **`CVE-2023-32530`**, that can be escalated to remote code execution. The flaws affect the `modTMMS` certificate-handling workflow, where user-controlled X.509 certificate fields are incorporated into SQLite queries without proper validation, including the `AddCert()` and `DeleteCertById()` paths. Researchers said even low-privilege authenticated users can exploit the bugs by uploading crafted certificate data through `proxy_controller.php`, using `module=modTMMS` and `tmms_cmd=set_certificates_config` to reach the vulnerable functionality. Because Apex Central uses SQLite on the backend, attackers can abuse the injection to write a malicious PHP file into the webroot and execute system commands as the **`IUSR`** account. Both issues carry a **CVSS v3.1 score of 8.8** and were patched by Trend Micro on **December 19, 2022**, before public disclosure by STAR Labs and ZDI. Defenders are advised to update Apex Central to the latest available version and inspect the widget repository directory for suspicious PHP files that could indicate compromise.
3 weeks ago
Critical RCE Vulnerabilities in Trend Micro Apex One Management Console
**Trend Micro patched two critical remote code execution vulnerabilities in *Apex One* affecting Windows environments**, both caused by **path traversal weaknesses in the Apex One management console**: `CVE-2025-71210` and `CVE-2025-71211`. Trend Micro stated exploitation requires an attacker to have access to the management console, and warned organizations with consoles exposed to the internet to apply mitigations such as source/IP restrictions and to update to the latest builds; the fixes include updates for SaaS deployments and **Critical Patch Build 14136** for affected on-prem installations. Canada’s Centre for Cyber Security issued advisory **AV26-168** urging administrators to apply Trend Micro’s updates for **Apex One (on-premise)**, **Apex One as a Service (SaaS)**, and **Trend Vision One Endpoint / Standard Endpoint Protection (SaaS)**. Neither advisory indicated confirmed exploitation in the wild for these specific CVEs at the time of publication, but the vendor and reporting highlighted that **Apex One vulnerabilities have been actively exploited in prior campaigns**, reinforcing the need for rapid patching and exposure reduction of management interfaces.
1 month ago